I was on the phone with a client recently. She reported that some users of her WordPress website had access to protected custom profile fields.
That was strange behaviour, since I used the Customize Your Community plugin to show the edit/update profile page in the site's layout, and I had coded an if/else to control which protected fields are shown.

The root problem

It turns out that when a user triggers an error (say, entering a new password but mistyping it in the confirmation field), the error message is shown using the default wp-admin/profile.php backend URL and layout!

Potential solution

Solution

Warning: this solution involved editing a core WordPress file: wp-admin/user-edit.php. Editing a core WordPress file is never recommended, as it potentially breaks your installation and has to be redone every time you update WordPress. (Tech note: anyone good with patch files? Please submit one through the contact form.)

Warning: make a file backup of every file you are about to edit!

Note (presumption): the code

$current_user->has_cap('edit_posts') === false

handles all requests from users who are not authorized to edit posts, i.e. normal subscribed users ('subscriber' role). Feel free to change it to whatever you like.
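
A way to get the same effect without touching core, as an added example that is not the code from the original post: a small must-use plugin that reuses the edit_posts check above and sends restricted users back to the front-end page, both on direct visits to wp-admin/profile.php and when a failed update would otherwise re-render the backend form. The path /edit-profile/, the profile_error query argument and the mysite_* names are assumptions; replace them with your site's own.

```php
<?php
/**
 * Added example (not from the original post): keep users without edit_posts
 * out of the wp-admin profile screen. Save as a file in wp-content/mu-plugins/.
 */

// ASSUMPTION: hypothetical front-end profile page; change to your site's path.
const MYSITE_FRONT_PROFILE_PATH = '/edit-profile/';

// Same test the post uses: true for logged-in users who cannot edit posts.
function mysite_is_restricted_user() {
    return is_user_logged_in() && current_user_can( 'edit_posts' ) === false;
}

// 1. Direct visits (GET) to wp-admin/profile.php never render the backend form.
//    This also catches the redirect core issues after a successful update.
add_action( 'load-profile.php', function () {
    if ( 'GET' === $_SERVER['REQUEST_METHOD'] && mysite_is_restricted_user() ) {
        wp_safe_redirect( home_url( MYSITE_FRONT_PROFILE_PATH ) );
        exit;
    }
} );

// 2. Failed updates: core would re-render the backend form with the error.
//    Priority 999 so errors added by other plugins are already collected.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! $update || ! is_admin() || ! mysite_is_restricted_user() ) {
        return;
    }
    $codes = $errors->get_error_codes();
    if ( empty( $codes ) ) {
        return; // Valid submission: let core save it.
    }
    // Pass only the error codes, never the submitted values, in the URL.
    $target = add_query_arg(
        'profile_error', // hypothetical argument name for the front-end template
        rawurlencode( implode( ',', $codes ) ),
        home_url( MYSITE_FRONT_PROFILE_PATH )
    );
    wp_safe_redirect( $target );
    exit;
}, 999, 3 );
```

The front-end template can read profile_error and show its own message, so the password-mismatch case never lands on the backend layout with the unfiltered field list.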